🔐Private API Access

Authenticated Routes

Signed API request are required when interacting with:

/v1/balances/*
/v1/users/*
/v1/payouts/*

When generating an API Client key, you’ll receive:

Public Key (Base58) – stored by Swapped
Private Key (Base58, 32 bytes) – used to sign requests

⚠️ Your Commerce API Client private key is never stored by Swapped. If lost, it cannot be recovered — generate a new key instead.

Signing Requests

Every signed API request must include a signature generated from a canonical string. This canonical string is a strict, concatenated sequence of values from the request — no separators, no whitespace, and no JSON formatting.

Canonical String Format

{METHOD}{PATH}{TIMESTAMP}{IDEMPOTENCY_KEY}{BODY_SHA256}

Component Breakdown

Component

Description

Example Value

Included Exactly As

METHOD

Uppercase HTTP method

POST

"POST"

PATH

Full request path (no domain, no query params)

/v1/payouts

"/v1/payouts"

TIMESTAMP

Date.now() in milliseconds

1733359952000

"1733359952000"

IDEMPOTENCY_KEY

UUID generated per request

bcd1f714-66e8-49f2-8c7d-d21afa474ef7

"bcd1f714-66e8-49f2-8c7d-d21afa474ef7"

BODY_SHA256

Hex-encoded SHA-256 hash of raw request body (empty string if no body)

2b7df2035a…

"2b7df2035a..."

Important: These fields are concatenated directly — no spaces, newlines, or separators.

Example Canonical String

Raw values

Field

Value

METHOD

POST

PATH

/v1/payouts

TIMESTAMP

1733359952000

IDEMPOTENCY_KEY

bcd1f714-66e8-49f2-8c7d-d21afa474ef7

BODY_SHA256

2b7df2035a...

Concatenated canonical string:

POST/v1/payouts1733359952000bcd1f714-66e8-49f2-8c7d-d21afa474ef72b7df2035a...

Notes and Tips

PATH must not include domain or query string (for example, use /v1/payouts, not https://api.example.com/v1/payouts?foo=bar)
BODY_SHA256 must hash the exact raw body bytes and extra whitespace or comments will change the signature
IDEMPOTENCY_KEY is required even for GET requests
TIMESTAMP must match the value in X-Sign-Timestamp

Header

Description

X-API-Key

Your public key

X-Signature

Base64 signature generated with your private key

X-Sign-Timestamp

Date.now() in milliseconds

X-Idempotency-Key

Unique UUID per request

Below are some language specific examples for generating the X-Signature:

const crypto = require('crypto');
const axios = require('axios');
const { sha512 } = require('@noble/hashes/sha2');
const bs58 = (await import('bs58')).default;
const ed25519 = await import('@noble/ed25519');
ed25519.etc.sha512Sync = (...args) =>
  sha512(ed25519.etc.concatBytes(...args));

const timestamp = Date.now();
const idempotencyKey = crypto.randomUUID();
const body = JSON.stringify(payload);
const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
const path = '/v1/payouts';

const canonical = [
  'POST',
  path,
  timestamp,
  idempotencyKey,
  bodyHash,
].join('');

const privateKeyBytes = bs58.decode(process.env.API_PRIV_KEY);
const messageBytes = new TextEncoder().encode(canonical);
const signatureBytes = ed25519.sign(messageBytes, privateKeyBytes);
const signatureB64 = Buffer.from(signatureBytes).toString('base64');

await axios.post(`https://pay-api.swapped.com${path}`, payload, {
  headers: {
    'X-API-Key': process.env.API_PUB_KEY,
    'X-Signature': signatureB64,
    'X-Sign-Timestamp': String(timestamp),
    'X-Idempotency-Key': idempotencyKey,
    'Content-Type': 'application/json',
  }
});

import time
import uuid
import hashlib
import base64
import os
import requests
from nacl.signing import SigningKey
from base58 import b58decode

private_key = b58decode(os.getenv('PRIVATE_KEY', ''))
signing_key = SigningKey(private_key)

timestamp = str(int(time.time() * 1000))
idempotency_key = str(uuid.uuid4())
body = json.dumps(payload)
body_hash = hashlib.sha256(body.encode()).hexdigest()
path = "/v1/payouts"
canonical = "POST" + path + timestamp + idempotency_key + body_hash

signature = signing_key.sign(canonical.encode()).signature
signature_b64 = base64.b64encode(signature).decode()

response = requests.post(
    f'https://pay-api.swapped.com{path}',
    json=payload,
    headers={
        'X-API-Key': os.getenv('PUBLIC_KEY', ''),
        'X-Signature': signature_b64,
        'X-Sign-Timestamp': timestamp,
        'X-Idempotency-Key': idempotency_key,
        'Content-Type': 'application/json',
    },
)

<?php

use Tuupola\Base58;

$timestamp = (string)(int)(microtime(true) * 1000);

// Generate UUID v4
$data = random_bytes(16);
$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // Version 4
$data[8] = chr(ord($data[8]) & 0x3f | 0x80); // Variant bits
$idempotencyKey = vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));

$body = json_encode($payload);
$base58 = new Base58(["characters" => Base58::BITCOIN]);
$privateKeySeed = $base58->decode($apiPrivKey);

// Derive the full 64-byte secret key from the 32-byte seed
$keypair = sodium_crypto_sign_seed_keypair($privateKeySeed);
$secretKey = sodium_crypto_sign_secretkey($keypair);

$bodyHash = hash('sha256', $body);
$path = '/v1/payouts';
$canonical = 'POST' . $path . $timestamp . $idempotencyKey . $bodyHash;

$signature = sodium_crypto_sign_detached($canonical, $secretKey);
$signatureB64 = base64_encode($signature);

// Make the actual request
$ch = curl_init('https://pay-api.swapped.com' . $path);
curl_setopt_array($ch, [
    CURLOPT_POST => true,ss
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        'X-API-Key: ' . $apiPubKey,
        'X-Signature: ' . $signatureB64,
        'X-Sign-Timestamp: ' . $timestamp,
        'X-Idempotency-Key: ' . $idempotencyKey,
        'Content-Type: application/json',
    ],
    CURLOPT_POSTFIELDS => $body,
]);

$response = curl_exec($ch);
$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

Our Developer Postman collection is also configured to sign requests after you configure your keys.

PreviousPublic API Access NextWebhook Signatures

Last updated 1 month ago

hashtagAuthenticated Routes

hashtagSigning Requests

hashtagCanonical String Format

hashtagComponent Breakdown

hashtagExample Canonical String

hashtagNotes and Tips